Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of authenticating a user request of a user to gain access to a computerized service, the method comprising: upon receiving the user request, the computerized service transmitting an authentication request to an authentication service, along with user information and authentication request data that includes user request information associated with the user request and information about the computerized service including a callback address of the computerized service, wherein the authentication request data includes at least one of an identification of the computerized service, session data related to the user request which includes session login information, the computerized service being requested and an identifier generated at the computerized service to identify the user request, upon receiving the authentication request, the authentication service transmitting an approval request to a user device of the user, the approval request including at least a portion of the authentication request data, wherein the user device and user identity information included in the user information are pre-registered with the authentication service, the computerized service computing a verification result from a user approval response received from and generated at the user device, public user data and the authentication request data, the user approval response being generated at the user device from both the authentication request data received at the user device and additional private user data that is cryptographically related to the public user data and a copy of the user identity information stored at the user device, the user approval response being transmitted from the user device to the callback address of the computerized service directly without further utilization of the authentication service, the callback address being included in both the authentication request data received at the authentication service and the portion of the authentication request data received at the user device, and the computerized service granting access as requested in the user request only upon successful verification of the user approval response being cryptographically related to the additional private user data stored at the user device and the authentication request data transmitted from the computerized service.
2. The method of claim 1 , wherein the user approval response is generated according to input received from the user at the user device.
3. The method of claim 1 , wherein the user has a pair of public and private encryption keys, the additional private user data including the private encryption key and the public user data including the public encryption key, and wherein the user approval response is generated from the authentication request data utilizing the private encryption key and the verification result is computed at the computerized service utilizing the public encryption key.
4. The method of claim 3 , wherein the user approval response includes a digital signature signed using the private encryption key and the verification result computed includes a computed verification of the digital signature, and wherein the computerized service grants access to the user request upon successful verification of the digital signature.
5. The method of claim 1 , wherein the user device communicates with the computerized service over communication network and the callback address is a callback network address.
6. The method of claim 1 , wherein the authentication service is provided by an authentication server connected to both the computerized service and the user device over communication network, and the authentication server transmits the authentication request through a message relay server connected to the communication network, the method further comprising the steps of, prior to generating the user approval response: the user device registering the user identity information and message relay information to the authentication server, the message relay information identifying the message relay server for relying transmission to the user device, and the authentication server storing the user identity information and the message relay information in an associated relationship, and the step of transmitting by the authentication service further comprising: retrieving the message relay information based on the association between the user identity information and the message relay information to identify the message relay server, and effectuating the transmission from the authentication service to the user device by first transmitting to the message relay service for the message relay service to transmit to the user device.
7. The method of claim 6 , wherein the authentication server verifies cryptographically both the user identity information and the message relay information being originated from the user or the user device prior to associating the user identity information with the message relay information.
8. The method of claim 7 , wherein the message relay information identifies a relay channel connecting the user device to the message relay service, and wherein the message relay server completes the transmission by transmission through, at least partially, the relay channel.
9. The method of claim 8 , wherein the relay channel is unique to the user device.
10. The method of claim 8 , the method comprising the further steps of, after receiving the authentication request data at the authentication server: the authentication server forwarding the authentication request data to the message relay service, identifying to the message relay service the relay channel, and the user device receiving the authentication request data from the message relay service through the relay channel.
11. The method of claim 8 , wherein the relay channel is designated by the message relay service, the method further comprising the steps of, prior to generating the user approval response: the user device receiving the message relay information from the message relay service and transmitting the message relay information to the authentication server, and the authentication server storing the message relay information and the user identity information on a non-transient storage device in an associated manner.
12. The method of claim 6 , herein the user has a pair of public and private encryption keys, and the step of registering the user identity information and the message relay information further comprising: selecting the user identity information data for inclusion in the user information; obtaining a digital certificate issued by a certification authority and generated from the user identity information data and the public encryption key; obtaining from the message relay service the message relay information that includes channel identification data identifying a relay channel for connecting the user device to the message relay service, transmitting the digital certificate and the channel identification data to the authentication server; the authentication server generating a challenge and sending the challenge to the user device; the user device, generating a registration signature, using the private encryption key, from the challenge, the channel identification data and the user identity information data, and transmitting the registration signature to the authentication server for verification; the authentication server associating the user identity information data with the channel identification data if the registration signature is successfully verified.
13. The method of claim 1 , wherein the computerized service and the authentication service are executing on the user device, the method comprising the further step of: the computerized service providing an internal address within the user device as the return destination.
14. The method of claim 13 , wherein the authentication request data includes the session login information, the method further comprising the steps of: the computerized service rendering the session login information for inspection by the user, receiving an indication of approval of the access request from the user entered using the user device, generating the user approval response according to the indication of approval, and sending the user approval response to the internal address.
15. The method of claim 13 , wherein the user has a pair of public and private encryption keys, and wherein generating the user approval response includes generating a digital signature using the user's private encryption key, sending the user approval response includes sending the digital signature to the internal address, and verification of the user approval response includes verification of the digital signature by the computerized service using the public encryption key.
16. The method of claim 1 , the method comprising the further step of: upon receiving the authentication request data, the user device rendering the authentication request data for user inspection, wherein the user device generating the user approval response only after receiving an approval confirmation from the user entered using the user device.
17. The method of claim 16 , the method further comprising the step of: the computerized service rendering at least a portion of the authentication request data for visual display to the user for user comparison.
18. The method of claim 17 , wherein the user initiates the user request from a user terminal remote from the computerized service, the method further comprising the step of: the computerized service transmitting to the user terminal through a secure channel information rendered for visual display at the user terminal.
19. The method of claim 17 , wherein both the user device and the computerized service renders the login information for visual display to the user and for user comparison.
20. A system for providing a computerized service to a user that requires authentication of the user, the user having a pair of public encryption key and a corresponding private encryption key and having a user device that has stored thereon the private encryption key and user identity information, the system comprising: a service hardware device having a computerized service executing thereon; an authentication hardware device having an authentication service executing thereon, the authentication hardware device being connectable with the service hardware device for receiving authentication request from the computerized service and connectable with the user device for forwarding approval request, the user device and the user identity information being pre-registered with the authentication service; a user interface connected to the service hardware device, for receiving and forwarding to the computerized service a user request to gain access to the computerized service; the computerized service being configured to generate authentication request data and forward an authentication request, a copy of the user identify information, and the authentication request data to the authentication service upon receiving the user request, the authentication request data including user request information associated with the user request and information about the computerized service including a callback address of the computerized service; the authentication service being configured to transmit an approval request to the user device upon receiving the authentication request, the approval request including at least a portion of the authentication request data, wherein the user device generates a user approval response from the portion of the authentication request data included in the approval request and the user's private key and transmits the user approval response to the callback address of the computerized service directly without further utilization of the authentication service; and the computerized service being further configured to compute a verification result from the user approval response received directly from the user device, the verification requiring both the user's public encryption key and response data included in the user approval response, and to grant access as requested in the user request only upon successful verification of the user approval response being cryptographically related to the user's private encryption key stored at the user device and the portion of the authentication request data transmitted from the computerized service.
21. The system of claim 20 , wherein the response data includes a digital signature generated at the user device from the portion of the authentication request data and the private encryption key, and wherein the verification of the user approval response includes verification of the digital signature at the computerized service.
22. The system of claim 20 , wherein the authentication service resides in an authentication server separate from the service hardware device and wherein both the authentication server and the service hardware device communicate with the user device over a communication network, and the system further comprising: data communication connection interface at the authentication server for connection to a message relay server, the message relay server maintaining a relay channel between the message relay server and the user device, wherein the authentication server is configured to transmit approval request together with message relay information to the message relay server, the message relay information identifying the relay channel to the message relay server for the message relay server to forward the approval request to the user device using the relay channel.
23. The system of claim 22 , further comprising: a non-transient storage device for the authentication service, the non-transient storage device having stored thereon the user identity information and the message relay information in an associated relationship.
24. The system of claim 23 , further comprising: a cryptographic unit, the cryptographic unit performing cryptographic functions to verify cryptographically both the user identity information and the message relay information being originated from the user and being configured to send verification result to the authentication server.
25. The system of claim 22 , wherein the callback address is a callback network address of the computerized service.
26. The system of claim 25 , wherein the callback network address is selected and included in the authentication request data by the computerized service.
27. The system of claim 20 , wherein the computerized service and the authentication service are executing on the user device, and the callback address is an internal address within the user device.
28. The system of claim 27 wherein the user device has stored thereon additionally a public-key certificate, and wherein the authentication service is further configured to, in response to receiving a first authentication request from the computerized service without being provided with user information: generate a first user approval response using the private encryption key upon receiving an input at the user device indicating user approval, send the first user approval response and the public-key certificate to the computerized service for the computerized service to verify the first user approval response and to extract the user identity information from the public-key certificate, and wherein the computerized service is further configured to, prior to generating the authentication request data: generate the first authentication request upon receiving a user request that lacks the user identity information, send the first authentication request to the authentication service, and verify the first user approval response returned from the authentication service and retrieve the user identity information from the public-key certificate for sending with the authentication request.
29. A communication device for providing authentication of a user to a networked service, the networked service being connected to an authentication server over a communication network, the user having a pair of public and private encryption keys, said communication device comprising: a cryptographic unit; a user I/O unit; a network interface for connecting the communication device to the communication network; a non-transient storage device having computer instructions, user identity information and the private encryption key stored thereon; and a microprocessor for executing the stored computer instructions stored; wherein the stored computer instructions, upon being executed by the microprocessor, cause the microprocessor to perform steps of a method comprising the steps of: upon receiving an approval request from the authentication server through the network interface, the approval request including authentication request data generated at the networked service in response to an access request initiated by or on behalf of the user, the authentication request data including user request information associated with the user request and information about the networked service being accessed, the information about the networked service including a callback network address of the networked service; rendering the authentication request data on the user I/O unit for user inspection; receiving an input indicating user approval from the user at the user I/O unit; generating a user approval response based on the user input, the user approval including an authentication signature computed by the cryptographic unit from the authentication request data, the user identity information, and the private encryption key stored on the memory storage device; transmitting the authentication signature directly to the callback network address of the networked service utilizing the network interface and without further utilization of the authentication server, the callback network address being contained in both the authentication request data and the approval request.
30. The communication device of claim 29 , wherein the method steps performed by the microprocessor further comprising: requesting the message relay service to designate the communication channel and receiving from the message relay service the channel identification information data that identifies the communication channel; and registering the user identity information and the message service information with the authentication server in an associated manner.
31. The communication device of claim 29 , wherein the authentication signature is a digital signature computed from a triplet of the user identity information, the call back network address, and an identifier generated at the computerized service pairing the user request with the user identity information, and signed using the private encryption key.
Unknown
November 20, 2018
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.